Get a Verified Create Badge for the REUSE Action #31

Open
janderssonse opened this issue Jun 24, 2024 · 2 comments
janderssonse commented Jun 24, 2024

I suggest, in order to raise further trust and calm the security people :) :), that this project try to get the action GitHub verified. Currently, what it really, really implies for the project is a bit of a mystery, but hopefully NGOs should be as OK as non-NGOs; it most likely involves a bit of security policy practice. Example from someone that succeeded: https://github.com/orgs/community/discussions/25265#discussioncomment-3247173.

Why is this potentially good? Well, some GitHub organisations have strict security policies and have chosen to tick "Allow actions created by GitHub" and "Allow actions by Marketplace verified creators", and this would make the REUSE action viable for them.

So, it would further raise the trust bar for organizations looking to use the REUSE action in CI pipes.

Note: I'm aware that the REUSE project is looking to move to other hosting alternatives long term (fsfe/reuse-tool#865). But until that happens, and even after, this would still be relevant, as a GitHub Action still might be published.

janderssonse changed the title from "Get a Verified Create Badge for that REUSE Action" to "Get a Verified Create Badge for the REUSE Action" on Jun 24, 2024

mxmehl (Member) commented Jun 24, 2024

Phew, that looks like a painful and intransparent process. While I think the GitHub action will persist even if reuse-tool moves away from GitHub, I am not even sure how to start tackling this without wasting too much time knocking at doors.

janderssonse (Author) commented Jun 25, 2024

Are you sure that so much needs to be done that it is painful? How would one know without asking? :)
I guess all that needs to be done to find out is sending a short mail and asking, "What steps need to be done to get a verified creators badge for the GitHub Action of REUSE", and the project will most likely find out. From the given example it looks like "2FA enabled" for the organisation and a "verified organisation domain (for FSFE)" are two of the checks to fulfill. The domain one you already fulfill, as shown on your verified org, and I guess you have already enabled 2FA as well.
